Awsume: An Efficient AWS Multi-Account Role Switching CLI Tool

Problems:

Managing multiple AWS accounts and roles often becomes a complex process due to the need for secure switching between accounts and roles, retrieving and rotating credentials, and maintaining active sessions. The lack of a versatile tool that simplifies these tasks can lead to inefficiencies and potential security risks.

Solutions

awsume is a command-line tool designed to simplify and secure switching between AWS accounts and roles. It automatically retrieves and rotates credentials, facilitating smooth transitions and improving security in multi-account settings.

awsume is a handy tool designed specifically to manage session tokens and assume-role credentials. It covers a wide range of needs; here are a few examples of the tasks you can accomplish with it:

https://miro.medium.com/v2/resize:fit:954/1*LzcRDDTxqMfJV-bcIQLUVw.gif

Source: https://awsu.me/

Prerequisites:

  1. AWS CLI must be installed on your machine along with the aws-sso-util tools.
  2. Python must be installed.

Getting Started with awsume:

Installation

To install AWS CLI, please follow the instructions provided in this link: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

To install aws-sso-util, follow the instructions at: https://github.com/benkehoe/aws-sso-util

Let's get started installing the awsume tool.

Install awsume quickly and easily:

$ pip install awsume

Configurations:

Configure your AWS profiles and roles in ~/.aws/credentials and ~/.aws/config, similar to AWS CLI configurations.

Sample Config file for SSO Organization:

[profile myprofile]
sso_start_url = <your_sso_url>
sso_region = <aws_sso_region>
sso_account_name = <aws_account_name>
sso_account_id = <aws_account_id>
sso_role_name = <your_sso_role>
region = <aws_region>
credential_process = aws-sso-util credential-process --profile myprofile
sso_auto_populated = true
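
A profile block like the one above is easy to get wrong when it is copied for a second account, so the following Python check (an added example, not code from the original article or from the awsume project) audits config text for that mistake and for leftover static keys. It assumes the four sso_* keys checked here are required and that the --profile argument of credential_process should name its own profile; the audit_profiles function and all sample values are constructed for illustration.

```python
import configparser

# Constructed sample in the layout of the SSO config above (placeholder values).
SAMPLE_CONFIG = """\
[profile myprofile]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = ReadOnly
credential_process = aws-sso-util credential-process --profile myprofile

[profile copied]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 222222222222
sso_role_name = Admin
credential_process = aws-sso-util credential-process --profile myprofile

[profile legacy]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder
"""

# Assumption: these keys, taken from the sample config, must all be present.
REQUIRED_SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

def audit_profiles(text):
    """Return {profile_name: [findings]} for the text of an AWS config file."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        # ~/.aws/config uses "profile <name>"; ~/.aws/credentials uses "<name>".
        name = section[len("profile "):] if section.startswith("profile ") else section
        opts, issues = parser[section], []
        if "aws_access_key_id" in opts and "aws_session_token" not in opts:
            issues.append("static long-lived access key")
        if "sso_start_url" in opts:
            issues += [f"missing {k}" for k in REQUIRED_SSO_KEYS if k not in opts]
        cmd = opts.get("credential_process", "").split()
        if "--profile" in cmd:
            idx = cmd.index("--profile") + 1
            target = cmd[idx] if idx < len(cmd) else ""
            if target != name:  # block copied without updating --profile
                issues.append(f"credential_process points at '{target}'")
        findings[name] = issues
    return findings
```

To audit a real file, pass its contents, for example audit_profiles(open(os.path.expanduser("~/.aws/config")).read()) after importing os.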

SSO logins:

aws sso login --profile <profile_name>

Listing profiles:

To list all profiles available:

$ awsume --list-profiles
or
$ awsume -l

AWS Role Assumption:

To assume a role, use the command:

$ awsume <profile-name>

This action switches your environment to use the credentials of the specified profile.

Keep Sessions Active:

For sessions that need to stay active beyond the default expiration, especially with temporary credentials:

$ awsume -a <profile-name>

This auto-refresh feature is essential for uninterrupted work.

Advanced Features

  • Role Chaining: For complex AWS setups, awsume supports chaining roles.
  • Plugin System: Extend awsume’s functionality with custom plugins to suit your workflow.

Beyond the Command Line: ‘awsume’ in Python

[awsume](https://awsu.me/advanced/non-interactive-awsume.html) is not just for the terminal. It integrates seamlessly with Python, providing an API to manage AWS sessions within your applications.

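from awsume.awsumepy import awsume

# 'Profile' and the MFA token are placeholder values; supply your own profile
# name and a current MFA code at run time rather than hard-coding one.
session = awsume('Profile', '-r', region='us-west-2', mfa_token='123123')

# The session object can now be used for AWS operations
client = session.client('sts')
# Confirm which account and role the session is actually using
result = client.get_caller_identity()
print(result['Arn'])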

Why is awsume Essential?

awsume simplifies the management of multiple AWS accounts. It allows for quick and safe switching between different accounts and roles. It’s beneficial for developers, cloud engineers, and AWS admins, as it reduces time spent on managing account credentials, letting you focus more on your tasks.

Conclusions

awsume is a hidden gem for managing AWS roles across multiple AWS accounts. It works well both on the command line and in Python scripts. By using awsume, you can say goodbye to the hassle of multi-account management and enjoy a smoother AWS experience.